# Configuration Options

The Hatchet server and engine are configured through environment variables, most of them prefixed with `SERVER_` or `DATABASE_`. This document lists all available options.

## Runtime Configuration

| Variable                        | Description                             | Default Value           |
| ------------------------------- | --------------------------------------- | ----------------------- |
| `SERVER_PORT`                   | Port for the core server                | `8080`                  |
| `SERVER_URL`                    | Full server URL, including protocol     | `http://localhost:8080` |
| `SERVER_GRPC_PORT`              | Port for the gRPC service               | `7070`                  |
| `SERVER_GRPC_BIND_ADDRESS`      | gRPC server bind address                | `127.0.0.1`             |
| `SERVER_GRPC_BROADCAST_ADDRESS` | gRPC server broadcast address           | `127.0.0.1:7070`        |
| `SERVER_GRPC_INSECURE`          | Whether the gRPC server is insecure     | `false`                 |
| `SERVER_SHUTDOWN_WAIT`          | Shutdown wait duration                  | `20s`                   |
| `SERVER_ENFORCE_LIMITS`         | Enforce tenant limits                   | `false`                 |
| `SERVER_ALLOW_SIGNUP`           | Allow new tenant signups                | `true`                  |
| `SERVER_ALLOW_INVITES`          | Allow new invites                       | `true`                  |
| `SERVER_ALLOW_CREATE_TENANT`    | Allow tenant creation                   | `true`                  |
| `SERVER_ALLOW_CHANGE_PASSWORD`  | Allow password changes                  | `true`                  |

## Database Configuration

| Variable                     | Description                  | Default Value |
| ---------------------------- | ---------------------------- | ------------- |
| `DATABASE_URL`               | PostgreSQL connection string | `127.0.0.1`   |
| `DATABASE_POSTGRES_HOST`     | PostgreSQL host              | `127.0.0.1`   |
| `DATABASE_POSTGRES_PORT`     | PostgreSQL port              | `5431`        |
| `DATABASE_POSTGRES_USERNAME` | PostgreSQL username          | `hatchet`     |
| `DATABASE_POSTGRES_PASSWORD` | PostgreSQL password          | `hatchet`     |
| `DATABASE_POSTGRES_DB_NAME`  | PostgreSQL database name     | `hatchet`     |
| `DATABASE_POSTGRES_SSL_MODE` | PostgreSQL SSL mode          | `disable`     |
| `DATABASE_MAX_CONNS`         | Max database connections     | `5`           |
| `DATABASE_LOG_QUERIES`       | Log database queries         | `false`       |
| `CACHE_DURATION`             | Cache duration               | `60s`         |

## Security Check Configuration

| Variable                         | Description             | Default Value                  |
| -------------------------------- | ----------------------- | ------------------------------ |
| `SERVER_SECURITY_CHECK_ENABLED`  | Enable security check   | `true`                         |
| `SERVER_SECURITY_CHECK_ENDPOINT` | Security check endpoint | `https://security.hatchet.run` |

## Limit Configuration

| Variable                                         | Description                      | Default Value |
| ------------------------------------------------ | -------------------------------- | ------------- |
| `SERVER_LIMITS_DEFAULT_TENANT_RETENTION_PERIOD`  | Default tenant retention period  | `720h`        |
| `SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_LIMIT`       | Default workflow run limit       | `1000`        |
| `SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_ALARM_LIMIT` | Default workflow run alarm limit | `750`         |
| `SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_WINDOW`      | Default workflow run window      | `24h`         |
| `SERVER_LIMITS_DEFAULT_WORKER_LIMIT`             | Default worker limit             | `4`           |
| `SERVER_LIMITS_DEFAULT_WORKER_ALARM_LIMIT`       | Default worker alarm limit       | `2`           |
| `SERVER_LIMITS_DEFAULT_EVENT_LIMIT`              | Default event limit              | `1000`        |
| `SERVER_LIMITS_DEFAULT_EVENT_ALARM_LIMIT`        | Default event alarm limit        | `750`         |
| `SERVER_LIMITS_DEFAULT_EVENT_WINDOW`             | Default event window             | `24h`         |
| `SERVER_LIMITS_DEFAULT_CRON_LIMIT`               | Default cron limit               | `5`           |
| `SERVER_LIMITS_DEFAULT_CRON_ALARM_LIMIT`         | Default cron alarm limit         | `2`           |
| `SERVER_LIMITS_DEFAULT_SCHEDULE_LIMIT`           | Default schedule limit           | `1000`        |
| `SERVER_LIMITS_DEFAULT_SCHEDULE_ALARM_LIMIT`     | Default schedule alarm limit     | `750`         |

## Alerting Configuration

| Variable                             | Description                | Default Value |
| ------------------------------------ | -------------------------- | ------------- |
| `SERVER_ALERTING_SENTRY_ENABLED`     | Enable Sentry for alerting |               |
| `SERVER_ALERTING_SENTRY_DSN`         | Sentry DSN                 |               |
| `SERVER_ALERTING_SENTRY_ENVIRONMENT` | Sentry environment         | `development` |

## Encryption Configuration

| Variable                                      | Description                                    | Default Value |
| --------------------------------------------- | ---------------------------------------------- | ------------- |
| `SERVER_ENCRYPTION_MASTER_KEYSET`             | Raw master keyset, base64-encoded JSON string  |               |
| `SERVER_ENCRYPTION_MASTER_KEYSET_FILE`        | Path to the master keyset file                 |               |
| `SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET`         | Public JWT keyset, base64-encoded JSON string  |               |
| `SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET_FILE`    | Path to the public JWT keyset file             |               |
| `SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET`        | Private JWT keyset, base64-encoded JSON string |               |
| `SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET_FILE`   | Path to the private JWT keyset file            |               |
| `SERVER_ENCRYPTION_CLOUDKMS_ENABLED`          | Whether Google Cloud KMS is enabled            | `false`       |
| `SERVER_ENCRYPTION_CLOUDKMS_KEY_URI`          | URI of the key in Google Cloud KMS             |               |
| `SERVER_ENCRYPTION_CLOUDKMS_CREDENTIALS_JSON` | JSON credentials for Google Cloud KMS          |               |

## Authentication Configuration

| Variable                               | Description                                               | Default Value                    |
| -------------------------------------- | --------------------------------------------------------- | -------------------------------- |
| `SERVER_AUTH_RESTRICTED_EMAIL_DOMAINS` | Restricted email domains                                  |                                  |
| `SERVER_AUTH_BASIC_AUTH_ENABLED`       | Whether basic auth is enabled                             | `true`                           |
| `SERVER_AUTH_SET_EMAIL_VERIFIED`       | Whether the user's email is set to verified automatically | `false`                          |
| `SERVER_AUTH_COOKIE_NAME`              | Name of the cookie                                        | `hatchet`                        |
| `SERVER_AUTH_COOKIE_DOMAIN`            | Domain for the cookie                                     |                                  |
| `SERVER_AUTH_COOKIE_SECRETS`           | Cookie secrets                                            |                                  |
| `SERVER_AUTH_COOKIE_INSECURE`          | Whether the cookie is insecure                            | `false`                          |
| `SERVER_AUTH_GOOGLE_ENABLED`           | Whether Google auth is enabled                            | `false`                          |
| `SERVER_AUTH_GOOGLE_CLIENT_ID`         | Google auth client ID                                     |                                  |
| `SERVER_AUTH_GOOGLE_CLIENT_SECRET`     | Google auth client secret                                 |                                  |
| `SERVER_AUTH_GOOGLE_SCOPES`            | Google auth scopes                                        | `["openid", "profile", "email"]` |
| `SERVER_AUTH_GITHUB_ENABLED`           | Whether GitHub auth is enabled                            | `false`                          |
| `SERVER_AUTH_GITHUB_CLIENT_ID`         | GitHub auth client ID                                     |                                  |
| `SERVER_AUTH_GITHUB_CLIENT_SECRET`     | GitHub auth client secret                                 |                                  |
| `SERVER_AUTH_GITHUB_SCOPES`            | GitHub auth scopes                                        | `["read:user", "user:email"]`    |

## Task Queue Configuration

| Variable                       | Description        | Default Value |
| ------------------------------ | ------------------ | ------------- |
| `SERVER_MSGQUEUE_KIND`         | Message queue kind | `rabbitmq`    |
| `SERVER_MSGQUEUE_RABBITMQ_URL` | RabbitMQ URL       |               |

## TLS Configuration

| Variable                  | Description                      | Default Value |
| ------------------------- | -------------------------------- | ------------- |
| `SERVER_TLS_STRATEGY`     | TLS strategy                     |               |
| `SERVER_TLS_CERT`         | TLS certificate                  |               |
| `SERVER_TLS_CERT_FILE`    | Path to the TLS certificate file |               |
| `SERVER_TLS_KEY`          | TLS key                          |               |
| `SERVER_TLS_KEY_FILE`     | Path to the TLS key file         |               |
| `SERVER_TLS_ROOT_CA`      | TLS root CA                      |               |
| `SERVER_TLS_ROOT_CA_FILE` | Path to the TLS root CA file     |               |
| `SERVER_TLS_SERVER_NAME`  | TLS server name                  |               |

## Logging Configuration

| Variable                 | Description   | Default Value |
| ------------------------ | ------------- | ------------- |
| `SERVER_LOGGER_LEVEL`    | Logger level  |               |
| `SERVER_LOGGER_FORMAT`   | Logger format |               |
| `DATABASE_LOGGER_LEVEL`  | Logger level  |               |
| `DATABASE_LOGGER_FORMAT` | Logger format |               |

## OpenTelemetry Configuration

| Variable                    | Description                                                | Default Value |
| --------------------------- | ---------------------------------------------------------- | ------------- |
| `SERVER_OTEL_SERVICE_NAME`  | Service name for OpenTelemetry                             |               |
| `SERVER_OTEL_COLLECTOR_URL` | Collector URL for OpenTelemetry                            |               |
| `SERVER_OTEL_INSECURE`      | Whether to use an insecure connection to the collector URL |               |

## Tenant Alerting Configuration

| Variable                                     | Description                      | Default Value          |
| -------------------------------------------- | -------------------------------- | ---------------------- |
| `SERVER_TENANT_ALERTING_SLACK_ENABLED`       | Enable Slack for tenant alerting |                        |
| `SERVER_TENANT_ALERTING_SLACK_CLIENT_ID`     | Slack client ID                  |                        |
| `SERVER_TENANT_ALERTING_SLACK_CLIENT_SECRET` | Slack client secret              |                        |
| `SERVER_TENANT_ALERTING_SLACK_SCOPES`        | Slack scopes                     | `["incoming-webhook"]` |

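Several defaults in the Runtime, Database, Authentication and OpenTelemetry tables are worth checking before a deployment. The following is an added example, not part of Hatchet or its documentation: it reads an env file, falls back to the defaults listed on this page for unset variables, and reports the settings to review. The rule list, `parse_env`, `audit` and the sample file are assumptions of this example; it also assumes an unset variable takes its documented default and does not inspect `DATABASE_URL`.

```python
import re

# (variable, default listed on this page or None, value to flag, why).
# Which values get flagged is a review policy chosen for this example.
RULES = [
    ("SERVER_GRPC_INSECURE", "false", "true", "gRPC server is set to insecure"),
    ("SERVER_AUTH_COOKIE_INSECURE", "false", "true", "auth cookie is set to insecure"),
    ("SERVER_OTEL_INSECURE", None, "true", "insecure connection to the collector"),
    ("SERVER_AUTH_SET_EMAIL_VERIFIED", "false", "true", "emails auto-marked verified"),
    ("SERVER_ALLOW_SIGNUP", "true", "true", "new tenant signups are open"),
    ("DATABASE_POSTGRES_PASSWORD", "hatchet", "hatchet", "default database password"),
    ("DATABASE_POSTGRES_SSL_MODE", "disable", "disable", "PostgreSQL SSL mode is disable"),
]
LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments; strip matching quotes."""
    env = {}
    for raw in text.splitlines():
        m = None if raw.lstrip().startswith("#") else LINE.match(raw)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            env[m.group(1)] = value
    return env

def audit(text):
    """Return (variable, effective value, source, reason) for each flagged setting."""
    env, findings = parse_env(text), []
    for name, default, risky, reason in RULES:
        value = env.get(name, default)  # assumption: unset means documented default
        if value is None:
            continue  # no default listed on the page and not set explicitly
        seen = value.lower() if risky == "true" else value  # booleans: ignore case
        if seen == risky:
            source = "explicit" if name in env else "default"
            findings.append((name, value, source, reason))
    return findings

# Constructed sample env file, for illustration only.
SAMPLE = """\
SERVER_GRPC_INSECURE=true
SERVER_ALLOW_SIGNUP=false
DATABASE_POSTGRES_SSL_MODE="verify-full"
"""

if __name__ == "__main__":
    for name, value, source, reason in audit(SAMPLE):
        print(f"{name}={value} ({source}): {reason}")
```

The `source` field separates a value someone set on purpose from one inherited from the defaults, which is how the unchanged `DATABASE_POSTGRES_PASSWORD` shows up even though the sample file never mentions it.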